The Requirement to Decrypt Information in Hong Kong

image_pdfimage_print

LEAs need to intercept communications and conduct covert surveillance for the purpose of crime investigation and prevention and to, amongst other things, thwart the attacks of terrorists. In Hong Kong, the interception of communication and covert surveillance by LEAs are governed by the Interception of Communications and Surveillance Ordinance (“ICSO)[1]. The ICSO provides a statutory regime to regulate the conduct of interception of communications and covert surveillance by designated LEAs. Only the HK Police, the Customs and Excise Department and the Independent Commission Against Corruption (“ICAC”) can conduct interceptions and it must be for the purpose of preventing or detecting serious crime or protecting public security. Recently the ICSO was amended to enhance the effectiveness of the regulatory regime under ICSO and the clarity of a number of provisions in ICSO.[2]

It is and continues to be the common view of the LEAs that interception is a very effective and valuable investigation tool in the prevention and detection of serious crimes and the protection of public security[3]. Interception is the means by which the LEAs can inspect some or all of the contents of the communication by telecommunications systems such as telephone and computer networks.

However, criminals and terrorists have become sophisticated and thanks to the ease of access to encryption tools, communications between criminals/terrorists could be encrypted. Accordingly, even if such communication is intercepted by LEAs, the LEAs might not be able to read the intercepted communications if they do not have the decryption key to decipher the contents of the communication.

Recently, some LEAs in some jurisdictions have resorted to applying to the Courts for an order to compel the communications device or software manufacturer that manufactures the device or software that holds the encrypted communications to come up with software or solutions so that the LEAs can decrypt the encrypted contents and read the communications. If this happens in HK, would the LEAs be able to apply for a court order to compel the device or software manufacturers to come up with decryption solutions to assist the LEAs in deciphering encrypted communications?

Under HK Law, the freedom and privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedures to meet the needs of public security or of an investigation into criminal offences[4]. No one shall be subjected to arbitrary or unlawful interference with his privacy and everyone has the right to the protection of the law against such interference[5]. There is no law that restricts or prohibits the use of encryption or encryption technologies in communication.  HK residents are at liberty to communicate via encrypted messages or use encryption technologies or tools to encrypt the contents of the communications before transmitting them.

There is also no specific law on decryption that compels anyone to assist officers of the LEAs to decrypt an encoded message or device or to hand over to the officers a key to an encrypted message that is in the possession or knowledge of someone.

While there is no specific law on decryption, for certain cases, there are some legislation that the LEAs could use to obtain information in a legible form or the decryption key. For example, under the United Nations (Anti-Terrorism Measures) Ordinance[6] (“UNATMO”), the Secretary for Justice may, for the purpose of an investigation into a relevant offence (an offence against UNATMO), make an ex parte application to the court for an order for a person or persons to, inter alia, give particulars of the relevant offence under investigation and to produce any materials that reasonably appear to the Secretary for Justice to be relevant to the investigation[7].

If the materials that need to be produced consist of information recorded otherwise than in legible form, an authorized officer (from the HK Police, the Customs and Excise Department, the Immigration Department or the ICAC) may, by notice in writing served on the person, require the person to produce at a specified time and place, or at specified time and places, the material in a form in which it is visible and legible and can be taken away.[8]

The Secretary for Justice has a similar power under the Organized and Serious Crimes Ordinance (“OSCO”) to compel a person to provide materials relevant to the investigation of organised and serious crimes in a form in which it is visible and legible.[9]

A person commits an offence if the person fails to comply with a court order to provide materials relevant to the investigation in a form in which it is visible and legible unless the person has a reasonable excuse not to do so.

There is no definition of the word “legible” in any of the ordinances in HK. The word “legible”, in the context of printed words and documents, is used to denote that the writing or print can be read easily. Arguably, the contents of a material or communication that have been converted by encryption into random and meaningless characters and symbols would be “non-legible” or “illegible” and therefore, in a form other than legible. It thus follows that to put something into a legible form in the context of encrypted contents would mean that the encrypted contents should be decrypted or a decryption key or means of decryption should be provided to the investigators to decrypt the contents.

Under the Official Secrets Ordinance[10] (“OSO”), spying for the enemy is an offence and for investigating such an offence, the Commissioner of Police may apply to the Chief Executive of HK for permission to authorise police officers to require a person to: (i) give any information in his power relating to the offence or suspected offence of spying; and (ii) attend at such reasonable time and place as may be specified by the police officer[11]. If the case is one of great emergency and in the interest of PRC or HK that immediate action is necessary, the Commissioner of Police may exercise the power without applying for permission of the Chief Executive but will only need to report the circumstances to the Chief Executive forthwith.[12]If a person fails to comply with the requirement to give information, then the person commits an offence. The person is not excused from giving the required information on the ground that doing so might self-incriminate or breach a secrecy obligation. Accordingly, if the suspected offence is in relation to spying, a person might be compelled to provide information to decrypt contents of a communication if such contents would be relevant to the offence or suspected offence.

Under the regulatory regime for payment systems and stored value facilities, the HK Monetary Authority as the regulator has power to require the production of records and documents in a legible form or if the information is recorded in an information system, to produce that recording in a form that enables the information to be reproduced in a legible form. Accordingly, if a payment systems or stored value facilities operator have encrypted data that the regulator needs to inspect, the regulator has the power to compel the operator to put it in legible form and arguably, this would mean decrypting the data.

Conclusion

While there is no specific legislation in HK that deals with compulsory decryption of encrypted data or information, there are laws that would enable public officers in the course of preventing or investigating crimes and public security matters to obtain the provision of materials in visible and legible forms. It is submitted that this would include the provision of decrypted contents or means (such as keys etc) for the decryption of encrypted data. However, this would not mean that LEAs in HK can compel other non-related third parties such as device or software manufacturers to come up with solutions to assist the LEAs in decrypting the relevant encrypted materials or communications that might assist in the investigation.

(This article, written by our Partner, Mr Dominic Wai, is also published in the August issue of Cyber Security Law and Practice, www.E-COMLAW.com.)

 

For enquiries, please contact our Litigation & Dispute Resolution Department:
E: criminal@onc.hk                                                             T: (852) 2810 1212
W: www.onc.hk                                                                    F: (852) 2804 631119th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2016

 

[1]       Chapter 589 of the Laws of Hong Kong

[2]       Ord. No.21 of 2016 Interception of Communications and Surveillance (Amendment) Ordinance 2016

[3]       Annual Report 2014 to the Chief Executive by the Commissioner on Interception of Communications and Surveillance (June 2015)

[4]       Article 30 of the Basic Law

[5]       S.8, Article 14 of the Hong Kong Bill of Rights Ordinance (Chapter 383)

[6]       Chapter 575 of the Laws of Hong Kong

[7]       S.12A of UNATMO

[8]       S.12A(12) of UNATMO

[9]       S.4 of the Organized and Serious Crimes Ordinance (Chapter 455 of the Laws of Hong Kong)

[10]     Chapter 521 of the Laws of Hong Kong

[11]     Ss.8(1) and (2) of OSO

[12]     S.8(3) of OSO